Even as cybercriminals continue to get better at what they do, people are becoming less forgiving toward businesses that fail to protect their data. About 30 percent of consumers surveyed by a major bank said they would “never return” to a small business that suffered a cybersecurity breach, up from 20 percent two years ago.

Meanwhile, the same survey — Bank of America Merchant Services’ Small Business Payments Spotlight — found that breaches of small businesses are becoming both more common and more costly. More than 1 in 5 SMBs reported a data breach within the last 24 months, up by 17 percent from two years ago. And 41 percent of small businesses said they’d suffered a breach that cost more than $50,000 to recover from.

Numbers like this should serve as a wake-up call. Every small business should develop a security strategy that accounts for all the data assets it has to protect, assesses its vulnerabilities, details a specific plan of action for securing those vulnerabilities and includes training for every employee.

Begin with a Cybersecurity Assessment

The starting point for any security strategy is an independent assessment, which offers an excellent way for businesses to gain insight into exactly what their vulnerabilities are and how to address them.

There are many different types of security assessments. At the low end is a vulnerability scan, which involves an automated testing tool that probes a business’s network to find weak spots. An example is CDW’s Threat Check, which we offer at no charge.

That's a good way to start, but we also recommend companies go beyond mere scanning to include a gap analysis and penetration testing. A gap analysis identifies the disparities between what the company is doing and the latest best practices. With a penetration test, white-hat hackers try to access a network in the same ways the bad guys do.

All recommendations from the assessment should be executed. But a great thing about a security assessment is that it doesn’t just identify threats to a business; it also helps that business prioritize where its limited funds are needed most urgently so leaders can properly prioritize their spend.

Employee Training Is Critical

It’s well known that within almost every business, the biggest security vulnerability is not an unpatched firewall or any other technology deficiency; it’s the people.

Yes, sophisticated attack tools are increasingly available to threat actors. But there’s still no more effective method for cybercriminals to access a corporate network than getting an unwitting employee to cough up the necessary credentials to let them walk right in.

This is why effective employee training is probably the most important investment any business can make in its own cybersecurity.

It’s also a relatively easy thing to do. Good training programs are designed to expose employees to the different types of threats out there so they can adopt a security-first mindset and know when to speak up and who to speak with in the event of a threat.

Consider the Entire Cybersecurity Landscape

The attack surface is growing as business networks continue to expand. In other words, the bad guys have more things to attack because organizations keep adding new user endpoints and various Internet of Things gadgets.

Merely securing the perimeter is no longer sufficient. It’s not possible anymore for a business to draw an imaginary fence around its network so it can focus on securing everything inside it. All those endpoints are connected to the network, and they must be secured too. Businesses that haven’t deployed a next-generation endpoint security solution are taking a big risk.

Good cybersecurity isn’t easy. It takes planning, companywide buy-in and a holistic strategy. But the resources exist for businesses to harden their defenses as much as possible, and the alternative is simply unacceptable.